Dyre Configuration Dumper

Share Now


It’s been over a year since Dyre first appeared, and with a rise of infections in 2015, it doesn’t look like the attackers are stopping anytime soon. At PhishMe we’ve been hit with a number of Dyre attacks this week, so to make analysis a little easier, I tossed together a quick python script that folks can use for dumping the configurations for Dyre.

To dump the memory, you can use Process Explorer to do a “full dump” on the process they inject into. (Typically the top-most svchost.exe, sometimes explorer.exe) Here’s what the output looks like:

Figure 1 Dyre Config Dump
Figure 1 — Dyre Configuration Dumper

By adding the “-c” flag to the end of it, we can get more information about the configs the attackers have in memory. Here’s a quick snapshot:

Figure 2 More Config Dumps
Figure 2 — More Dyre Config Dumps

You can download the script from here. Happy config dumping!

Read More Related Phishing Blog Posts


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on wpml.org as a development site.